Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-07-02 Thread Adi Kriegisch
On Thu, Jun 26, 2014 at 05:13:20PM +0200, Robert Schetterer wrote:
 On 26.06.2014 11:53, Adi Kriegisch wrote:
  On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
  On 21.05.2014 19:47, Sebastian Goodrick wrote:
  I just installed the (rapid-ssl) certificate and it works now.
  Needless to say that I don't understand it. The old certificate worked
  with all other clients but win8/outlook, plus the old dovecot install
  worked with win8/outlook as well.
  I am struggling with the same issue for some time now: win8/outlook isn't
  able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
  outlook side of things is 0x800CCC0E which is really helpful.
 
 Read the original thread again: I've tested a brand new Win 8.1 / Outlook 2013
 install at the latest patch level with Dovecot 2.2.13 TLS, no problem. The
 original problem went away using another crt from RapidSSL for unknown
 reasons; needless to say there may be tons of other reasons
 why it fails at your site, however I'm nearly sure that there is no
 default bug in Dovecot.
Right. The bug is in Windows: SHA512 isn't configured as a valid hash for
a certificate (SHA256 and SHA384 are) and Windows is unable to provide a
reasonable error message. (**)
Adding RSA/SHA512 to the following registry entry solves the issue:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\Functions
(This affects CACert as well, as their default signature algorithm is SHA512
by now.) Do not forget to reboot after adding this registry entry.

-- Adi

(**) In Windows 8, certificate validation seems to behave quite differently
 for TLSv1.2 than for older protocol incarnations. So there might be
 other pitfalls as well (like for example self signed certificates
 including the CA flag set to true will not be considered valid)...
PS: This pointed me in the right direction: http://www.michaelm.info/blog/?p=1273
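As an added example (not from the thread, from Dovecot or from any of the posters): a small Python checker that reads the outer signatureAlgorithm OID of a certificate, so an admin can tell whether the certificate Dovecot serves is SHA-512-signed, the case the thread identifies as failing on Windows 8 over TLS 1.2. The DER walker, the OID table and build_sample_cert are my own; the sample it builds is not a valid certificate, only the outer Certificate SEQUENCE layout, so the parser can be exercised offline.

```python
"""Report the signature hash of an X.509 certificate and flag the SHA-512-signed
case, which Windows 8 rejects over TLS 1.2 by default (see the thread above)."""
import base64
import re

# Standard PKCS#1 RSA signature-algorithm OIDs (the thread's certificates are RSA).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted string from the content octets of a DER OBJECT IDENTIFIER."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last base-128 digit of this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM file (e.g. /etc/dovecot/my.crt)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sig }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, body)           # skip tbsCertificate
    _, alg, _ = _read_tlv(der, tbs_end)            # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg)  # its algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return decode_oid(der[oid_start:oid_end])

def signature_hash(der):
    """'sha1', 'sha256', 'sha384', 'sha512' or 'unknown'."""
    name = SIG_OIDS.get(signature_algorithm(der), "unknown")
    m = re.search(r"sha(\d+)", name, re.I)
    return "sha" + m.group(1) if m else "unknown"

def needs_win8_sha512_workaround(der):
    """True for a SHA-512-signed cert: per the thread, Win8 needs RSA/SHA512 added to the registry."""
    return signature_hash(der) == "sha512"

# --- constructed sample: NOT a valid certificate, only the outer DER layout ---
def _der(tag, content):
    assert len(content) < 0x80, "sample builder only needs short-form lengths"
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Inverse of decode_oid; used only to build the sample."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        digits = [p & 0x7F]
        while p := p >> 7:
            digits.insert(0, (p & 0x7F) | 0x80)
        out.extend(digits)
    return bytes(out)

def build_sample_cert(sig_oid):
    """Certificate-shaped DER with placeholder tbsCertificate and signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # stands in for tbsCertificate
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))  # AlgorithmIdentifier
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))            # + BIT STRING placeholder
```

On a real server, feed pem_to_der(open(path).read()) for the certificate Dovecot serves into signature_hash; intermediate certificates in the chain can be checked the same way.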


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Adi Kriegisch
On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
 On 21.05.2014 19:47, Sebastian Goodrick wrote:
  I just installed the (rapid-ssl) certificate and it works now.
  Needless to say that I don't understand it. The old certificate worked
  with all other clients but win8/outlook, plus the old dovecot install
  worked with win8/outlook as well.
I am struggling with the same issue for some time now: win8/outlook isn't
able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
outlook side of things is 0x800CCC0E which is really helpful.

The suggestion to disable TLSv1.2 on the windows side is dangerous:
win8/8.1 requires TLSv1.2 for downloading updates -- no TLSv1.2, no
updates. If absolutely necessary, disable TLSv1.2 on the dovecot side of
things!

I decided to do some additional debugging by running 'openssl s_server' on
the imap server with the very same certificates and settings (as far as it
is possible with s_server) on a different port, changed the port in outlook
and manually proxied the imap requests through: That way outlook works just
fine:

openssl s_server -tls1_2 -accept 8993 -cert /etc/dovecot/my.crt \
-key /etc/dovecot/private/my.key -serverpref -cipher '...(*)' \
-dhparam /root/group16.pem

(group16.pem contains 4096bit DH params that are standardized; on the
dovecot side, the dhparam length is set to 4096bit as well)

The very same thing happens with two different classes of ciphers:
ECDHE-RSA-AES256-SHA (which is what win8/outlook used to use before the
last update) and with DHE-RSA-AES256-GCM-SHA384 (which was just recently
added by the last update by Microsoft). So neither EC nor DHE cause any
changes in the behavior (as I was suspecting dovecot's dh params for some
time).

I think something in the handshake doesn't work the way it should and
causes ms crypto api (v6.3 and v6.2) to just close the connection after
handshake (a packet capture just shows the client sends a RST after key
exchange).


 there were some bugfixes with certificates ( windows )
 but that should not impact brand new installs with full recent patch level
AFAIK new (pretty cool) ciphers were introduced and I don't see how the
issue can be solved by changing the certificate: I used a cert from CACert
and a Cert signed by my own CA -- both resulting in a non-working
connection between dovecot and outlook on win8(.1).
However using the very same certificate with OpenSSL's s_server, the
connection worked just fine (as did disabling TLSv1.2) -- both indicators
that the certificates are just fine.

The only thing I can imagine that EC and DHE have in common is some SSL
extensions like session tickets (which outlook tried to use). Here are the
details of the session outlook established with s_server:
openssl sess_id -text -in param
SSL-Session:
Protocol  : TLSv1.2
Cipher: C014 ## this is ECDHE-RSA-AES256-SHA
or: 
Cipher: 009F ## this is with DHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx: 0100
Master-Key: (...)
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1403774959
Timeout   : 7200 (sec)
Verify return code: 0 (ok)

I hope someone can help me/us out here!

Thanks!

-- Adi

(*) see https://bettercrypto.org for a usable cipher string...


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Jerry
On Thu, 26 Jun 2014 11:53:49 +0200, Adi Kriegisch stated:

 On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
  On 21.05.2014 19:47, Sebastian Goodrick wrote:
   I just installed the (rapid-ssl) certificate and it works now.
   Needless to say that I don't understand it. The old certificate worked
   with all other clients but win8/outlook, plus the old dovecot install
   worked with win8/outlook as well.
 I am struggling with the same issue for some time now: win8/outlook isn't
 able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
 outlook side of things is 0x800CCC0E which is really helpful.
 

I did some checking on MS forums for this problem.

SMTP, Port: 25, Secure(SSL): No, Socket Error: 10060, Error Number: 0x800CCC0E

According to many of the posters, the problem is often caused by the AV
program blocking or messing with port 25.

What version of Outlook are you using anyway?

-- 
Jerry


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Jerry
On Thu, 26 Jun 2014 11:53:49 +0200, Adi Kriegisch stated:

 I am struggling with the same issue for some time now: win8/outlook isn't
 able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
 outlook side of things is 0x800CCC0E which is really helpful.

A listing of all of Windows' error codes:

http://support.microsoft.com/kb/942495

-- 
Jerry


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Adi Kriegisch
Hi!

  I am struggling with the same issue for some time now: win8/outlook isn't
  able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
  outlook side of things is 0x800CCC0E which is really helpful.
 
 A listing of all of Windows' error codes:
 
 http://support.microsoft.com/kb/942495
Yeah:
0x800CCC0E IXP_E_FAILED_TO_CONNECT  Cannot connect to server
Pretty helpful error message after all... ;-)

Seriously, Outlook (tried 2007 and 2013) uses the MS Crypto API for
establishing the SSL connection. This works with openssl s_server but does
not with dovecot.

-- Adi


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Steffen Kaiser

On Thu, 26 Jun 2014, Adi Kriegisch wrote:

   I am struggling with the same issue for some time now: win8/outlook isn't
   able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
   outlook side of things is 0x800CCC0E which is really helpful.

  A listing of all of Windows' error codes:

  http://support.microsoft.com/kb/942495

 Yeah:
 0x800CCC0E IXP_E_FAILED_TO_CONNECT  Cannot connect to server
 Pretty helpful error message after all... ;-)

Well, _did_ you verify that the connection is started at all?

I mean: http://support.microsoft.com/kb/302339/EN-US

 If you are connected to the Internet through MSN, the Microsoft Network,
 and you attempt to send messages by using an account other than your MSN
 e-mail account, you may receive an error message that is similar to the
 following error message:

 The connection to the server has failed. Account: 'account name',
 Server: 'SMTP server name', Protocol: SMTP, Port: 25, Secure (SSL): No,
 Socket Error: 10051, Error Number: 0x800CCC0E

 Cause
 This behavior can occur because MSN does not allow messages to be sent to
 another Simple Mail Transfer Protocol (SMTP) server while you are
 connected to their network.

From that description I would first check if this error means the basic
TCP connection. No SSL stuff or something.

 Seriously, Outlook (tried 2007 and 2013) uses the MS Crypto API for
 establishing the SSL connection. This works with openssl s_server but does
 not with dovecot.

Actually, as Jerry already wrote, some other program may interfere, e.g.
an antivirus program that stalls the connection as soon as the connection
changes from text to binary after the STARTTLS command. That's what we
had problems with.

Did you check the connection with wireshark / tcpdump on the server
side? Which side sends the last packet, does one side terminate the
connection, ... ?

-- 
Steffen Kaiser



Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Adi Kriegisch
Hey!

 0x800CCC0E IXP_E_FAILED_TO_CONNECT  Cannot connect to server
 Pretty helpful error message after all... ;-)
 
 Well, _did_ you've verified that the connection is started at all?
Yup. As written in my first mail, the client tears down the connection
after the ssl key exchange with a FIN,ACK.
 
 I mean: http://support.microsoft.com/kb/302339/EN-US
 
 If you are connected to the Internet through MSN, the Microsoft
 Network, and you attempt to send messages by using an account other
(...)
 (SSL): No, Socket Error: 10051, Error Number: 0x800CCC0E
The windows machine is a vm on my machine. No antivirus, no nothing
in between -- just win8.1 (at the latest patch level) and outlook.

 Did you check the connection with wireshark / tcpdump on the
 server side? Which side sends the last packet, does one side
 terminate the connection, ... ?
Yes. And as I said already: the connection with s_server works from the
very same setup.

Here is a log extract from just right now with 'verbose_ssl':
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: elliptic curve
secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
before/accept initialization [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3 read client hello A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3 write server hello A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3 write certificate A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3 write key exchange A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3 write server done A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3 flush data [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
SSLv3 read client certificate A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Warning: SSL failed:
where=0x2002: SSLv3 read client certificate A [10.10.10.20]
Jun 26 13:56:36 mail dovecot: imap-login: Disconnected (no auth attempts in
0 secs): user=, rip=10.10.10.20, lip=10.10.10.10,
TLS handshaking: Disconnected
So, yes, I guess outlook talks to dovecot...

-- Adi


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-06-26 Thread Robert Schetterer
On 26.06.2014 11:53, Adi Kriegisch wrote:
 On Wed, May 21, 2014 at 09:14:26PM +0200, Robert Schetterer wrote:
 On 21.05.2014 19:47, Sebastian Goodrick wrote:
 I just installed the (rapid-ssl) certificate and it works now.
 Needless to say that I don't understand it. The old certificate worked
 with all other clients but win8/outlook, plus the old dovecot install
 worked with win8/outlook as well.
 I am struggling with the same issue for some time now: win8/outlook isn't
 able to connect to dovecot 2.2.9 (from Debian/backports); the error on the
 outlook side of things is 0x800CCC0E which is really helpful.

Read the original thread again: I've tested a brand new Win 8.1 / Outlook 2013
install at the latest patch level with Dovecot 2.2.13 TLS, no problem. The
original problem went away using another crt from RapidSSL for unknown
reasons; needless to say there may be tons of other reasons
why it fails at your site, however I'm nearly sure that there is no
default bug in Dovecot.

 
Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-05-21 Thread Sebastian Goodrick

 every official up2date ssl crt should work, also don't forget to
 include intermediate crt/pem in your ssl dove chain

I just installed the (rapid-ssl) certificate and it works now.
Needless to say that I don't understand it. The old certificate worked
with all other clients but win8/outlook, plus the old dovecot install
worked with win8/outlook as well.

Regards, Sebastian


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-05-21 Thread Robert Schetterer
On 21.05.2014 19:47, Sebastian Goodrick wrote:
 
 every official up2date ssl crt should work, also don't forget to
 include intermediate crt/pem in your ssl dove chain
 
 I just installed the (rapid-ssl) certificate and it works now.
 Needless to say that I don't understand it. The old certificate worked
 with all other clients but win8/outlook, plus the old dovecot install
 worked with win8/outlook as well.
 
 Regards, Sebastian
 

endless speculation is now possible

there were some bugfixes with certificates ( windows )
but that should not impact brand new installs with full recent patch level

however good to hear you got it to work


Best Regards
Kind regards, Robert Schetterer



Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-05-18 Thread Sebastian Goodrick

 Hi Sebastian, sorry for the delay, I could not reproduce your
 problem; I speculate you have wrong settings in your server/client
 setup and/or you have firewalls, loadbalancers, proxies between
 server and client which fail with some ciphers

Thank you once more, Robert.
I can exclude firewalls, loadbalancers and proxies. The client is set
up from scratch plus there are seven existing Win8 installations, so I
should say, it's not the client.

I upgraded to dovecot 2.2.12 and openssl 1.0.1h (as shipped with
Debian Jessie but installed on Wheezy). I'm using your settings for
the ssl config. Openssl connect shows the same output as on your system.
Still the same problem with Win8 though.

I have just bought a rapidssl cert and will report back once I have
received and installed it.

Regards, Sebastian


Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-05-18 Thread Robert Schetterer
On 18.05.2014 20:04, Sebastian Goodrick wrote:
 Hi Sebastian, sorry for the delay, I could not reproduce your
 problem; I speculate you have wrong settings in your server/client
 setup and/or you have firewalls, loadbalancers, proxies between
 server and client which fail with some ciphers
 
 Thank you once more, Robert.
 I can exclude firewalls, loadbalancers and proxies. The client is set
 up from scratch plus there are seven existing Win8 installations, so I
 should say, it's not the client.

please double check this, i.e. your dove server is hosted elsewhere
and the hoster has some firewall/loadbalancer you don't know about; use
wireshark etc. to trace traffic, or just use only a virtual client and
server on the same virtual private network for testing

 
 I upgraded to dovecot 2.2.12 and openssl 1.0.1h (as shipped with
 Debian Jessie but installed on Wheezy). I'm using your settings for
 the ssl config. Openssl connect shows the same output as on your system.
 Still the same problem with Win8 though.

as written, no problem here; I don't know if Debian does something else
with openssl than Ubuntu, but I guess not.
Only for testing I advise using the plain mech at dove login; double check
your outlook settings

 
 I have just bought a rapidssl cert and will report back once I have
 received and installed it.

every official up2date ssl crt should work, also don't forget to
include intermediate crt/pem in your ssl dove chain


 
 Regards, Sebastian
 

Best Regards
Kind regards, Robert Schetterer



Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-05-09 Thread Robert Schetterer
On 09.05.2014 08:29, Sebastian Goodrick wrote:
 my speculation was, it leaves too few ciphers
 OK, but does the old dovecot/openssl version provide less ciphers than
 the new install?

sorry, I am short on time


dovecot has setup options for ciphers related to your openssl version


please read

http://www.michaelboman.org/books/sslscan

http://www.unixwitch.de/de/sysadmin/tools/imap-mit-ssl-testen

https://sys4.de/de/blog/2013/08/15/dovecot-tls-perfect-forward-secrecy/

http://wiki2.dovecot.org/SSL/DovecotConfiguration

http://www.heise.de/security/artikel/Forward-Secrecy-testen-und-einrichten-1932806.html




 I'm not too familiar with what ciphers ship with
 OpenSSL in what version. 

type

openssl ciphers

to see ciphers on your server with your openssl version

and

openssl s_client -connect imap.example.com:143 -starttls imap

for general testing



 My naive assumption is, a new version ships
 with more ciphers, hence this shouldn't be an issue. (Unless there is
 a new bug in a cipher.)

there must be matching ciphers


 
 Computer Configuration\Windows Settings\Security Settings\Local 
 Policies\Security Options
 I just learned, there is a tool called gpedit.msc on win8 :)
 Use FIPS compliant algorithms for encryption, hashing, and signing
 is disabled on my machine. From what I understand this indicates, that
 it can use more/all available ciphers.
 
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
 NT\CurrentVersion\SecEdit\Reg
 Values\MACHINE/System/CurrentControlSet/Control/Lsa/FIPSAlgorithmPolicy/Enabled
 I can find this key (it is set to DisplayType=0 and ValueType=4) but I
 don't understand what I can change there and what this setting
 indicates. Needless to say that my windows administration knowledge is
 limited.

as written, I will test it, but it will take time


 
 Regards,
 Sebastian
 

Best Regards
Kind regards, Robert Schetterer



Re: [Dovecot] TLS/SSL for Win8 Outlook

2014-05-08 Thread Robert Schetterer
On 08.05.2014 21:29, Sebastian Goodrick wrote:
 perhaps this has impact...just an idea
 
 
 http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx
 
  so my speculation: on win 8, fips mode enabled is the default
 currently (please verify this), but it should be disabled because it's
 causing too much trouble...
 
 On my fresh install of Win8.1:
 
 HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
 Enabled=0

hm..

 
 Indicating that FIPS mode is disabled. As far as I understand FIPS it
 disables certain ciphers / protocols. However, my new dovecot/OpenSSL
 version provides more and stronger ciphers, so FIPS shouldn't be an
 issue (well, in theory).

definition of strong may be variable
my speculation was, it leaves too few ciphers

 
 Regards
 Sebastian
 

I will test this now with my win8 and new dove installation, but it will
take time doing endless win upgrades in the vm first


Best Regards
Kind regards, Robert Schetterer
